
XWays Forensics


armresl
Senior Member
 

Re: XWays Forensics

Posted: Aug 08, 10 19:37

Tap Tap Tap...

Good thoughts Paul.


- sandy771
- MrWh1t3


Interview wise I think one would be better off learning FTK or EnCase, but XWays seems like a GREAT tool for the price.


What an odd thing to say. As someone who has been an interviewer in the past I would not really care whether you had used either of these packages - frankly you can pick up the basics in a day. I would however be very interested in what you know about file system fundamentals, the structure of the registry, metadata in Word files, what sort of information is left behind by P2P applications, how you would go about determining what is left behind for an app you had never seen......

It is not what you use but what you do with it. That you had gone out and spent your own money on encase would not impress one bit.

_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 
 
  

clownboy
Member
 

Re: XWays Forensics

Posted: Aug 08, 10 21:10

If the aim is to get experience to allow you to get a job in a forensic shop then purchasing the full versions of forensic tools would not be required.

First off you will also probably start out doing acquisitions so I would practice these and there are a ton of free and heavily used tools available (FTK Imager, versions of helix, Raptor, Caine, a new one I haven’t tested yet, Paladin, etc.) Second, if you get a job in a shop, it would be very rare for you to need your own tools on a job. Most shops will have EnCase and probably FTK. In the rare cases where you will need, or be allowed to use, your own tools you can just install the versions and use the company dongles. Third, if you buy your own tools you will end up paying a lot in yearly maintenance fees. You will save a lot of money starting off with free tools and demos.

As noted in a comment above the FTK demo version is a limited working version of FTK. With EnCase if you get the EnCase Certified Examiner study guide you also get a limited working version of EnCase v6. The benefit of the EnCase study guide is that you also get case files and instructions to work with. With both tools you can easily work on small data sets such as found on a floppy, flash drive, disk media or hdd. Put in some practice with these free tools and you can gain the experience you need to put on a resume.

I would also suggest listening to the Forensic 4-Cast podcast, episode 31, you will learn an interesting bit about getting hired in a forensic company.

If you are going contracting, well, that is a different story. I contract and my main tool is X-Ways with FTK as a backup. I do acquisitions with a number of tools. I do not own EnCase and I have let my FTK maintenance lapse.
 
  

armresl
Senior Member
 

Re: XWays Forensics

Posted: Aug 08, 10 22:37

You can't get the experience you need by using only trial tools.

Think of it from this standpoint also, if you were interviewing for a job and the person said so what kind of experience do you have with FTK or Encase, Well I have encase acquisition and FTK demo and have used both a lot.

I can from my own experience and from talking to others say that while data is supposed to be "it is what it is" it doesn't always get interpreted that way by tools. Why do we cross validate, just for that reason. If x ways gets a certain result, are you going to cross validate with a trial version (this may work for just messing around with files) but if you ever had a real case, that won't fly. Also, while it may have been read that ABC software is a fully functional version with the exception of a file number, there are often other restrictions placed on software which aren't widely known.

One other thing I would say is that working on a small data set from a CD, floppy, thumbdrive, etc. is far from a good representation of what is encountered in actual cases.
 
  

armresl
Senior Member
 

Re: XWays Forensics

Posted: Aug 08, 10 22:43

- chad131
Can't you find access to a dongle to prep without spending your own $$$? Lab time @ a college/university, borrow one over a weekend, apply for an EnCE and use the certification version, or have someone forward a dongle to you using USB over Ethernet?



I am not sure about how you do things, but I don't loan my dongle to anyone, and the dongle is licensed to a specific person or company, loaning it or letting someone borrow it could possibly invalidate any work done using that and for sure will be frowned upon by most in the community and by the developers of the software. What if something happens to that dongle while you have it, then the owner has to explain why it broke and how. Not worth it IMHO.

Even if you are using the dongle for prep, people in this community seem to follow guidelines and EULAs.
 
  

jaclaz
Senior Member
 

Re: XWays Forensics

Posted: Aug 08, 10 23:02

- armresl
You can't get the experience you need by using only trial tools.


But you also cannot get it with "full" versions.

Experience is made by experience Wink , it means you need to have a few months/years of work, NOT a few weeks training/studying, no matter if with the trial or with the "real" thing, what you miss are the real life cases, not the tools.

At the most you may get familiar with the specific tool's options (and this is the same, or mostly the same on any trial/limited version).

On the other hand, I presume that the job is intended towards a "junior", not a "senior" forensic examiner or whatever, and probably it will be first job, so the company cannot at the same time ask for experience AND allow a "first timer".... Rolling Eyes

jaclaz  
 
  

dietro
Senior Member
 

Re: XWays Forensics

Posted: Aug 09, 10 01:46

- Rampage
and it's less expansive Smile


I'm pretty sure you meant expensive, but in actuality, the typo is just as accurate. Wink  
 
  

armresl
Senior Member
 

Re: XWays Forensics

Posted: Aug 09, 10 03:00

I don't believe there should be a junior or a senior forensic examiner. Either you know your material or you don't, and if you know your material then you will land a job, if you don't then it will show itself.

Actually you can get more experience on "full" tools where functionality has been shut off for those full tools. If you've never examined a specific mailbox type and in the trial version that feature is shut off then you will never gain experience unless you have a full version or another tool.

As far as the not missing the tools idea, you do miss the tools, especially if you go to a shop which only uses a specific tool and then guess what you don't know how to validate with any other tool, or you run into a piece of data which your shop's tool won't read.

This is not the type of business to be frugal on, and while buying a tool unnecessarily is not a great idea, being a one trick pony is equally as bad.






- jaclaz
- armresl
You can't get the experience you need by using only trial tools.


But you also cannot get it with "full" versions.

Experience is made by experience Wink , it means you need to have a few months/years of work, NOT a few weeks training/studying, no matter if with the trial or with the "real" thing, what you miss are the real life cases, not the tools.

At the most you may get familiar with the specific tool's options (and this is the same, or mostly the same on any trial/limited version).

On the other hand, I presume that the job is intended towards a "junior", not a "senior" forensic examiner or whatever, and probably it will be first job, so the company cannot at the same time ask for experience AND allow a "first timer".... Rolling Eyes

jaclaz

 
